CVE-2026-47215
Singularity: Incorrect path matching for 'limit container paths' directive
Description
### Impact

The `limit container paths` directive in `singularity.conf` is intended to allow a system administrator to limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed. For example, the configuration:

```
limit container paths = /data/safe
```

will also allow containers in `/data/safe-but-unsafe` to be run.

### Patches

This issue is patched in SingularityCE 4.4.2 and SingularityPRO 4.3.9 / 4.1.14.

### Workarounds

If you do not use the `limit container paths` functionality, then this issue does not affect your installation. If you do use the `limit container paths` functionality, then you must update. Please also review the documented limitations when user namespaces are enabled [1].
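The sibling-directory match described under Impact is what a raw string-prefix comparison produces. The Go sketch below is an added example, not Singularity's code: `prefixMatch` is an assumed form of the flawed check, and `boundaryMatch` is one way to compare on whole path components instead. Both function names and the sample paths other than `/data/safe` and `/data/safe-but-unsafe` are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// prefixMatch is an ASSUMED form of the flawed check (hypothetical name):
// a plain string prefix test with no path-separator boundary.
func prefixMatch(allowed, container string) bool {
	return strings.HasPrefix(filepath.Clean(container), filepath.Clean(allowed))
}

// boundaryMatch (hypothetical name) accepts the allowed directory itself or
// anything beneath it, by checking that the relative path does not climb out.
// It is lexical only; symlinks in either path are not resolved here.
func boundaryMatch(allowed, container string) bool {
	rel, err := filepath.Rel(filepath.Clean(allowed), filepath.Clean(container))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	allowed := "/data/safe" // value of 'limit container paths' from the advisory
	// Constructed sample image paths.
	samples := []string{
		"/data/safe/app.sif",
		"/data/safe-but-unsafe/app.sif",
		"/data/safe/../other/app.sif",
		"/data/safe",
	}
	for _, p := range samples {
		fmt.Printf("%-32s prefix=%-5v boundary=%v\n",
			p, prefixMatch(allowed, p), boundaryMatch(allowed, p))
	}
}
```

Only the `/data/safe-but-unsafe` path differs between the two checks, which makes it a useful test case when verifying an upgraded installation's configuration.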
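How to fix CVE-2026-47215
To fix CVE-2026-47215, upgrade the affected packages to the patched versions listed below.
- — no patched version listed
- — upgrade to 4.4.2 or later
Is CVE-2026-47215 being exploited?
There are currently no exploitation signals. CVE-2026-47215 is not in CISA KEV and has no recent EPSS score.
Affected packages (2)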
- from 0, <= 3.1.1
- from 0, < 4.4.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |